<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="Cask Data, Inc." name="author" />
<meta content="Copyright © 2016-2017 Cask Data, Inc." name="copyright" />


    <meta name="git_release" content="6.1.1">
    <meta name="git_hash" content="05fbac36f9f7aadeb44f5728cea35136dbc243e5">
    <meta name="git_timestamp" content="2020-02-09 08:22:47 +0800">
    <title>Impersonation</title>

    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap-theme.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/bootstrap-sphinx.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-dynamicscrollspy-4.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/abixTreeList-2.css" type="text/css" />
    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />

    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '',
        VERSION:     '6.1.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  false
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>

    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="top" title="Cask Data Application Platform 6.1.1 Documentation" href="../index.html" />
    <link rel="up" title="Security" href="index.html" />
    <link rel="next" title="Enabling SSL for System Services" href="system-services.html" />
    <link rel="prev" title="Authorization" href="authorization.html" />
    <!-- block extrahead -->
    <meta charset='utf-8'>
    <meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
    <meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
    <meta name="apple-mobile-web-app-capable" content="yes">
    <!-- block extrahead end -->

</head>
<body role="document">

<!-- block navbar -->
<div id="navbar" class="navbar navbar-inverse navbar-default navbar-fixed-top">
    <div class="container-fluid">
      <div class="row">
        <div class="navbar-header">
          <!-- .btn-navbar is used as the toggle for collapsed navbar content -->
          <a class="navbar-brand" href="../table-of-contents/../../index.html">
            <span><img alt="CDAP logo" src="../_static/cdap_logo.svg"/></span>
          </a>

          <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>

          <div class="pull-right">
            <div class="dropdown version-dropdown">
              <a href="#" class="dropdown-toggle" data-toggle="dropdown"
                role="button" aria-haspopup="true" aria-expanded="false">
                v 6.1.1 <span class="caret"></span>
              </a>
              <ul class="dropdown-menu">
                <li><a href="//docs.cdap.io/cdap/5.1.2/en/index.html">v 5.1.2</a></li>
                <li><a href="//docs.cdap.io/cdap/4.3.4/en/index.html">v 4.3.4</a></li>
              </ul>
            </div>
          </div>
          <form class="navbar-form navbar-right navbar-search" action="../search.html" method="get">
            <div class="form-group">
              <div class="navbar-search-image material-icons"></div>
              <input type="text" name="q" class="form-control" placeholder="  Search" />
            </div>
            <input type="hidden" name="check_keywords" value="yes" />
            <input type="hidden" name="area" value="default" />
          </form>

          <div class="collapse navbar-collapse nav-collapse navbar-right navbar-navigation">
            <ul class="nav navbar-nav"><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link " href="../table-of-contents/../../index.html">简介</a></li><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link current" href="../table-of-contents/../../guides.html">手册</a></li><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link " href="../table-of-contents/../../reference-manual/index.html">参考</a></li><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link " href="../table-of-contents/../../faqs/index.html">帮助</a></li>
            </ul>
          </div>

        </div>
      </div>
    </div>
  </div><!-- block navbar end -->
<!-- block main content -->
<div class="main-container container">
  <div class="row"><div class="col-md-2">
      <div id="sidebar" class="bs-sidenav scrollable-y-outside" role="complementary">
<!-- theme_manual: admin-manual -->
<!-- theme_manual_highlight: guides -->
<!-- sidebar_title_link: ../table-of-contents/../../guides.html -->

  <div role="note" aria-label="manuals links"><h3><a href="../table-of-contents/../../guides.html">Guides</a></h3>

    <ul class="this-page-menu">
      <li class="toctree-l1"><a href="../table-of-contents/../../user-guide/index.html" rel="nofollow">用户手册</a>
      </li>
      <li class="toctree-l1"><a href="../table-of-contents/../../developer-manual/index.html" rel="nofollow">开发手册</a>
      </li>
      <li class="toctree-l1"><b><a href="../table-of-contents/../../admin-manual/index.html" rel="nofollow">管理手册</a></b>
      <nav class="pagenav">
      <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../index.html"> Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../cdap-components.html"> CDAP Components</a></li>
<li class="toctree-l1"><a class="reference internal" href="../deployment-architectures.html"> Deployment Architectures</a></li>
<li class="toctree-l1"><a class="reference internal" href="../hadoop-compatibility.html"> Hadoop Compatibility</a></li>
<li class="toctree-l1"><a class="reference internal" href="../cdap-hadoop-compatibility.html"> CDAP and Hadoop Compatibility</a></li>
<li class="toctree-l1"><a class="reference internal" href="../system-requirements.html"> System Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="../installation/index.html"> Installation</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../installation/cloudera.html">Cloudera Manager</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/emr.html">Amazon EMR</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/ambari.html">Apache Ambari</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/mapr.html">MapR</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/azure-hdinsight.html">Microsoft Azure HDInsight</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/packages.html">Packages</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/replication.html">Replication</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../incompatibilities.html"> Incompatibilities</a></li>
<li class="toctree-l1"><a class="reference internal" href="../upgrading/index.html"> Upgrading</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/cloudera.html">Cloudera Manager</a></li>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/ambari.html">Apache Ambari</a></li>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/mapr.html">MapR</a></li>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/packages.html">Packages</a></li>
</ul>
</li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html"> Security</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="perimeter-security.html">Perimeter Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="authorization.html">Authorization</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Impersonation</a></li>
<li class="toctree-l2"><a class="reference internal" href="system-services.html">Enabling SSL for System Services</a></li>
<li class="toctree-l2"><a class="reference internal" href="secure-storage.html">Secure Storage</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../operations/index.html"> Operations</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../operations/logging.html"> Logging and Monitoring</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/metrics.html"> Metrics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/operations-dashboard.html"> Dashboard and Reports</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/preferences.html"> Preferences and Runtime Arguments</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/scaling-instances.html"> Scaling Instances</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/resource-guarantees.html"> Resource Guarantees in YARN</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/tx-maintenance.html"> Transaction Service Maintenance</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/cdap-ui.html"> CDAP UI</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appendices/index.html"> Appendices</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../appendices/cdap-site.html"> Appendix: cdap-site.xml</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appendices/cdap-security.html"> Appendix: cdap-security.xml</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appendices/minimal-cdap-site.html"> Appendix: Minimal cdap-site.xml</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appendices/hbase-ddl-executor.html"> Appendix: HBaseDDLExecutor</a></li>
</ul>
</li>
</ul>
</nav>
      </li>
      <li class="toctree-l1"><a href="../table-of-contents/../../integrations/index.html" rel="nofollow">集成手册</a>
      </li>
      <li class="toctree-l1"><a href="../table-of-contents/../../examples-manual/index.html" rel="nofollow">最佳实践</a>
      </li>
    </ul>
  </div></div>
    </div><div class="col-md-8 content" id="main-content">
    
  <div class="section" id="impersonation">
<span id="admin-impersonation"></span><h1>Impersonation<a class="headerlink" href="#impersonation" title="Permalink to this headline">🔗</a></h1>
<p>Impersonation allows users to run programs and access datasets, streams, and other
resources as pre-configured users (a <em>principal</em>). Currently, CDAP supports configuring
impersonation at a namespace and at an application level, with application level
configuration having a higher precedence than namespace level.</p>
<p>Namespace-level impersonation means that every namespace has a single principal that all
programs in that namespace run as, and that resources are accessed as.</p>
<p>Application-level impersonation which means that every application has a single principal
that all programs in that application run as, and that resources are accessed as. Any
streams or datasets created by the application would be owned by that user.</p>
<p>Streams and datasets created outside of an application can be created with a principal;
otherwise, they would be owned by the principal defined for the namespace in which they
are created.</p>
<div class="section" id="requirements">
<h2>Requirements<a class="headerlink" href="#requirements" title="Permalink to this headline">🔗</a></h2>
<p>To utilize this feature, <a class="reference external" href="http://kerberos.org">Kerberos</a> must be enabled on the cluster and
configured in <a class="reference internal" href="../appendices/cdap-site.html#appendix-cdap-site-xml"><span class="std std-ref">cdap-site.xml</span></a>, using the parameter <code class="docutils literal notranslate"><span class="pre">kerberos.auth.enabled</span></code>.</p>
<p>To configure a namespace to have impersonation, specify the Kerberos <code class="docutils literal notranslate"><span class="pre">principal</span></code> and
<code class="docutils literal notranslate"><span class="pre">keytabURI</span></code> in the <span class="xref std std-ref">namespace configuration</span>.
The keytab file (the “keytab”) must be readable by the CDAP user and can be on either the local file system
of the CDAP Master or on HDFS. If the keytab is on HDFS, prefix the path with <code class="docutils literal notranslate"><span class="pre">hdfs://</span></code>.
If CDAP Master is <a class="reference internal" href="../deployment-architectures.html#admin-manual-install-deployment-architectures-ha"><span class="std std-ref">HA-enabled</span></a>,
and the local file system is used, the keytab must be on all local file systems used with
the CDAP Master instances.</p>
<p>If these are not specified, the principal and keytab of the CDAP Master user will be used
instead. These are defined by the properties <code class="docutils literal notranslate"><span class="pre">cdap.master.kerberos.principal</span></code> and
<code class="docutils literal notranslate"><span class="pre">cdap.master.kerberos.keytab</span></code> respectively in the <a class="reference internal" href="../appendices/cdap-site.html#appendix-cdap-default-security"><span class="std std-ref">cdap-site.xml file</span></a>.</p>
<p>The configured Kerberos principal must have been granted permissions for the operations
that will occur in that namespace. For instance, if a <a class="reference external" href="../../../developer-manual/building-blocks/namespaces.html#namespaces-custom-mapping" title="(in Cask Data Application Platform v6.1.1)"><span class="xref std std-ref">custom HBase namespace</span></a> is configured, the configured principal must have privileges
to create tables within that HBase namespace. If no custom HBase namespace is specified,
the configured principal must have privileges to create namespaces.</p>
<p>Because of this, it is simplest to specify a custom mapping for <code class="docutils literal notranslate"><span class="pre">root.directory</span></code> and
<code class="docutils literal notranslate"><span class="pre">hbase.namespace</span></code> when using impersonation so that the privileges granted to the
configured principal can be kept to a minimum.</p>
<div class="section" id="hdfs-permissions">
<h3>HDFS Permissions<a class="headerlink" href="#hdfs-permissions" title="Permalink to this headline">🔗</a></h3>
<p>In the case of impersonation, <em>every user who can be impersonated</em> will need access to
their corresponding HDFS <code class="docutils literal notranslate"><span class="pre">/user/&lt;username&gt;</span></code> directory. The commands for this are
described in the installation section for each distribution (<a class="reference internal" href="../installation/cloudera.html#cloudera-hdfs-permissions"><span class="std std-ref">Cloudera Manager</span></a>, <a class="reference internal" href="../installation/ambari.html#ambari-hdfs-permissions"><span class="std std-ref">Ambari</span></a>,
<a class="reference internal" href="../installation/mapr.html#mapr-hdfs-permissions"><span class="std std-ref">MapR</span></a>, and <a class="reference internal" href="../installation/packages.html#packages-hdfs-permissions"><span class="std std-ref">packages</span></a>).</p>
<p>Note that you can use the HDFS command <code class="docutils literal notranslate"><span class="pre">hdfs</span> <span class="pre">groups</span> <span class="pre">[username</span> <span class="pre">...]</span></code> to confirm that the
groups are set correctly, and that external security services such as LDAP are configured
correctly.</p>
</div>
<div class="section" id="application-level-impersonation">
<h3>Application-level Impersonation<a class="headerlink" href="#application-level-impersonation" title="Permalink to this headline">🔗</a></h3>
<p>To use application-level impersonation in CDAP—where applications, datasets, and streams have
their own owner and the operations performed in CDAP impersonate their respective
owners—CDAP needs to have access to the owner principal and their associated keytabs.</p>
<p>For user’s keytab access, CDAP uses these conventions:</p>
<ul>
<li><p class="first">All keytabs must be present on the local filesystem of nodes on which the CDAP Master is running.</p>
</li>
<li><p class="first">These keytabs must be present under a path which can be in one of these formats
and the <code class="docutils literal notranslate"><span class="pre">cdap</span></code> system user should have read access to all of the keytabs:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span>/<span class="nt">&lt;dir-1&gt;</span>/<span class="nt">&lt;dir-2&gt;</span>/${name}.keytab
/<span class="nt">&lt;dir-1&gt;</span>/<span class="nt">&lt;dir-2&gt;</span>/${name}/${name}.keytab
</pre></div>
</div>
</li>
<li><p class="first">The above path is provided to CDAP as a configuration parameter in the <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>
file, such as:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>security.keytab.path<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>/etc/security/keytabs/${name}.keytab<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
</pre></div>
</div>
<p>where <code class="docutils literal notranslate"><span class="pre">${name}</span></code> will be replaced by CDAP by the short user name of the Kerberos
principal CDAP is impersonating.</p>
<p><strong>Note:</strong> You will need to restart CDAP for this configuration change to take effect.</p>
</li>
</ul>
<p>Owner principal of an entity is provided either when an entity is created using the CDAP
CLI or the RESTful APIs or when an application creates them.</p>
</div>
<div class="section" id="hive-configuration">
<h3>Hive Configuration<a class="headerlink" href="#hive-configuration" title="Permalink to this headline">🔗</a></h3>
<p>In order for Hive to work with impersonation, one of the following approaches can be used:</p>
<ul class="simple">
<li>Hive Proxy Users; or</li>
<li>Hive SQL-based Authorization</li>
</ul>
<p><strong>Hive Proxy Users</strong></p>
<p>To configure Hive to be able to impersonate other users, set in <code class="docutils literal notranslate"><span class="pre">hive-site.xml</span></code> the property:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hive.server2.enable.doAs<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>true<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
</pre></div>
</div>
<p>Note that the CDAP Explore service ignores this setting and needs to be able to
impersonate users who can create and access entities in CDAP. This can by done by adding
properties in your <code class="docutils literal notranslate"><span class="pre">core-site.xml</span></code>. The first property allows Hive to impersonate users
belonging to <code class="docutils literal notranslate"><span class="pre">group1</span></code> and <code class="docutils literal notranslate"><span class="pre">group2</span></code> and the second property allows Hive to impersonate
on all hosts:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hadoop.proxyuser.hive.groups<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>group1,group2<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>

<span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hadoop.proxyuser.hive.hosts<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>*<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
</pre></div>
</div>
<p>See <a class="reference external" href="http://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hive_metastore_security.html">Cloudera documentation</a>
for additional details.</p>
<p><strong>Hive SQL-based Authorization</strong></p>
<p>An alternative to the above is to use SQL-based authorization. Add these properties to
your <code class="docutils literal notranslate"><span class="pre">hive-site.xml</span></code>:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hive.server2.enable.doAs<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>false<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
<span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hive.security.authorization.manager<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
<span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hive.security.authorization.enabled<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>true<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
<span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hive.security.authenticator.manager<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
</pre></div>
</div>
<p>Note your hive-site.xml should also be configured to support modifying properties at
runtime. Specifically, you will need this configuration in your <code class="docutils literal notranslate"><span class="pre">hive-site.xml</span></code>:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;property&gt;</span>
    <span class="nt">&lt;name&gt;</span>hive.security.authorization.sqlstd.confwhitelist.append<span class="nt">&lt;/name&gt;</span>
    <span class="nt">&lt;value&gt;</span>explore.*|mapreduce.job.queuename|mapreduce.job.complete.cancel.delegation.tokens|spark.hadoop.mapreduce.job.complete.cancel.delegation.tokens|mapreduce.job.credentials.binary|hive.exec.submit.local.task.via.child|hive.exec.submitviachild|hive.lock.*<span class="nt">&lt;/value&gt;</span>
<span class="nt">&lt;/property&gt;</span>
</pre></div>
</div>
<p>After adding these properties to your <code class="docutils literal notranslate"><span class="pre">hive-site.xml</span></code> file, restart Hive.</p>
</div>
<div class="section" id="cdap-authorization">
<h3>CDAP Authorization<a class="headerlink" href="#cdap-authorization" title="Permalink to this headline">🔗</a></h3>
<p>Impersonation works with CDAP Authorization, and if it is enabled, it will be enforced.
For details, see the sections on enabling on <a class="reference internal" href="authorization.html#admin-authorization"><span class="std std-ref">enabling authorization in CDAP and
managing privileges</span></a>.</p>
</div>
</div>
<div class="section" id="limitations">
<h2>Limitations<a class="headerlink" href="#limitations" title="Permalink to this headline">🔗</a></h2>
<p>The configured HDFS delegation token timeout must be longer than the configured stream
partition duration (<code class="docutils literal notranslate"><span class="pre">stream.partition.duration</span></code>), which has a default value of
one hour (3600000). It must also be larger than the log saver’s maximum file
lifetime (<code class="docutils literal notranslate"><span class="pre">log.saver.max.file.lifetime.ms</span></code>), which has a value of six hours (21600000).</p>
</div>
<div class="section" id="known-issues">
<h2>Known Issues<a class="headerlink" href="#known-issues" title="Permalink to this headline">🔗</a></h2>
<ul class="simple">
<li><a class="reference external" href="https://issues.cask.co/browse/CDAP-8140">CDAP-8140</a> - Explore is not supported when impersonation is enabled with Hive 0.13.</li>
</ul>
</div>
</div>

</div>
    <div class="col-md-2">
      <div id="right-sidebar" class="bs-sidenav scrollable-y" role="complementary">
        <div id="localtoc-scrollspy">
        </div>
      </div>
    </div></div>
</div>
<!-- block main content end -->
<!-- block footer -->
<footer class="footer">
      <div class="container">
        <div class="row">
          <div class="col-md-2 footer-left"><a title="Authorization" href="authorization.html" />Previous</a></div>
          <div class="col-md-8 footer-center"><a class="footer-tab-link" href="../table-of-contents/../../reference-manual/licenses/index.html">Copyright</a> &copy; 2014-2020 Cask Data, Inc.&bull; <a class="footer-tab-link" href="//docs.cask.co/cdap/6.1.1/cdap-docs-6.1.1-web.zip" rel="nofollow">Download</a> an archive or
<a class="footer-tab-link" href="//docs.cask.co/cdap">switch the version</a> of the documentation
          </div>
          <div class="col-md-2 footer-right"><a title="Enabling SSL for System Services" href="system-services.html" />Next</a></div>
        </div>
      </div>
    </footer>
<!-- block footer end -->
<script type="text/javascript" src="../_static/bootstrap-3.3.6/js/bootstrap.min.js"></script><script type="text/javascript" src="../_static/js/bootstrap-sphinx.js"></script><script type="text/javascript" src="../_static/js/abixTreeList-2.js"></script><script type="text/javascript" src="../_static/js/cdap-dynamicscrollspy-4.js"></script><script type="text/javascript" src="../_static/js/cdap-version-menu.js"></script><script type="text/javascript" src="../_static/js/copy-to-clipboard.js"></script><script type="text/javascript" src="../_static/js/jquery.mousewheel.min.js"></script><script type="text/javascript" src="../_static/js/jquery.mCustomScrollbar.js"></script><script type="text/javascript" src="../_static/js/js.cookie.js"></script><script type="text/javascript" src="../_static/js/tabbed-parsed-literal-0.2.js"></script><script type="text/javascript" src="../_static/js/cdap-onload-javascript.js"></script><script type="text/javascript" src="../_static/js/cdap-version-menu.js"></script>
    <script src="https://cdap.gitee.io/docs/cdap/json-versions.js"/></script>
  </body>
</html>